Chapter 1. Getting started using the RHEL web console

Learn how to install the Red Hat Enterprise Linux 9 web console, how to add and manage remote hosts through its convenient graphical interface, and how to monitor the systems managed by the web console.

1.1. What is the RHEL web console

The RHEL web console is a Red Hat Enterprise Linux web-based interface designed for managing and monitoring your local system, as well as Linux servers located in your network environment.

The RHEL web console enables you to perform a wide range of administration tasks, including:

  • Managing services
  • Managing user accounts
  • Managing and monitoring system services
  • Configuring network interfaces and firewall
  • Reviewing system logs
  • Managing virtual machines
  • Creating diagnostic reports
  • Setting kernel dump configuration
  • Configuring SELinux
  • Updating software
  • Managing system subscriptions

The RHEL web console uses the same system APIs as you would use in a terminal, and actions performed in a terminal are immediately reflected in the RHEL web console.

You can monitor the logs of systems in the network environment, as well as their performance, displayed as graphs. In addition, you can change the settings directly in the web console or through the terminal.

1.2. Installing and enabling the web console

To access the RHEL 9 web console, first enable the cockpit.socket service.

Red Hat Enterprise Linux 9 includes the RHEL 9 web console installed by default in many installation variants. If this is not the case on your system, install the cockpit package before enabling the cockpit.socket service.

Procedure

  1. If the web console is not installed by default on your installation variant, manually install the cockpit package: 

    # dnf install cockpit

  2. Enable and start the cockpit.socket service, which runs a web server: 

    # systemctl enable --now cockpit.socket

  3. If the web console was not installed by default on your installation variant and you are using a custom firewall profile, add the cockpit service to firewalld to open port 9090 in the firewall: 

    # firewall-cmd --add-service=cockpit --permanent
# firewall-cmd --reload

Verification steps

1.3. Logging in to the web console

When the cockpit.socket service is running and the corresponding firewall port is open, you can log in to the web console in your browser for the first time.

Prerequisites

  • Use one of the following browsers to open the web console:

    • Mozilla Firefox 52 and later
    • Google Chrome 57 and later
    • Microsoft Edge 16 and later

  • System user account credentials

    The RHEL web console uses a specific pluggable authentication modules (PAM) stack at /etc/pam.d/cockpit. The default configuration allows logging in with the user name and password of any local account on the system.

  • Port 9090 is open in your firewall.

Procedure

  1. In your web browser, enter the following address to access the web console: 

    https://localhost:9090
    Note

    This provides a web-console login on your local machine. If you want to log in to the web console of a remote system, see Section 1.6, “Connecting to the web console from a remote machine”

    If you use a self-signed certificate, the browser displays a warning. Check the certificate, and accept the security exception to proceed with the login.

    The console loads a certificate from the /etc/cockpit/ws-certs.d directory and uses the last file with a .cert extension in alphabetical order. To avoid having to grant security exceptions, install a certificate signed by a certificate authority (CA).

  2. In the login screen, enter your system user name and password.
  3. Click Log In.

After successful authentication, the RHEL web console interface opens.

Note

To switch between limited and administrative access, click Administrative access or Limited access in the top panel of the web console page. You must provide your user password to gain administrative access.

1.4. Changing the default style setting for the web console

By default, the web console adopts its style setting from the setting of your browser. You can override the default style setting from your RHEL 9 web console interface.

Prerequisites

Procedure

  1. Log in to the RHEL web console. For details, see Logging in to the web console.
  2. In the upper right corner, click the Session button.
  3. In the section Style, choose the preferred setting. The Default setting uses the same style setting as your browser.

Verification steps

  1. The style setting has changed according to set style.

1.5. Disabling basic authentication in the web console

You can modify the behavior of an authentication scheme by modifying the cockpit.conf file. Use the none action to disable an authentication scheme and only allow authentication through GSSAPI and forms.

Prerequisites

  • The web console is installed and accessible. For details, see Installing the web console.
  • You have root privileges or permissions to enter administrative commands with sudo.

Procedure

  1. Open or create the cockpit.conf file in the /etc/cockpit/ directory in a text editor of your preference, for example: 

    # vi cockpit.conf

  2. Add the following text: 

    [basic]
action = none
  3. Save the file.

  4. Restart the web console for changes to take effect. 

    # systemctl try-restart cockpit

1.6. Connecting to the web console from a remote machine

You can connect to your web console interface from any client operating system and also from mobile phones or tablets.

Prerequisites

  • A device with a supported internet browser, such as:

    • Mozilla Firefox 52 and later
    • Google Chrome 57 and later
    • Microsoft Edge 16 and later
  • RHEL 9 server you want to access with an installed and accessible web console.

Procedure

  1. Open your web browser.

  2. Type the remote server’s address in one of the following formats:

    1. With the server’s host name: 

      https://<server.hostname.example.com>:<port-number>

      For example: 

      https://example.com:9090

    2. With the server’s IP address: 

      https://<server.IP_address>:<port-number>

      For example: 

      https://192.0.2.2:9090
  3. After the login interface opens, log in with your RHEL system credentials.

1.7. Connecting to the web console from a remote machine as a root user

On new installations of the RHEL 9.2 or later, the RHEL web console disables root account logins by default due to security reasons. You can allow the root login in the /etc/cockpit/disallowed-users file.

Prerequisites

Procedure

  1. Open the disallowed-users file in the /etc/cockpit/ directory in a text editor of your preference, for example: 

    # vi /etc/cockpit/disallowed-users

  2. Edit the file and remove the line for the root user: 

    # List of users which are not allowed to login to Cockpit root
 
  3. Save the changes and quit the editor.

Verification

1.8. Logging in to the web console using a one-time password

If your system is part of an Identity Management (IdM) domain with enabled one-time password (OTP) configuration, you can use an OTP to log in to the RHEL web console.

Important

It is possible to log in using a one-time password only if your system is part of an Identity Management (IdM) domain with enabled OTP configuration.

Prerequisites

  • The RHEL web console has been installed.
  • An Identity Management server with enabled OTP configuration.
  • A configured hardware or software device generating OTP tokens.

Procedure

  1. Open the RHEL web console in your browser:

    • Locally: https://localhost:PORT_NUMBER
    • Remotely with the server hostname: https://example.com:PORT_NUMBER

    • Remotely with the server IP address: https://EXAMPLE.SERVER.IP.ADDR:PORT_NUMBER

      If you use a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.

      The console loads a certificate from the /etc/cockpit/ws-certs.d directory and uses the last file with a .cert extension in alphabetical order. To avoid having to grant security exceptions, install a certificate signed by a certificate authority (CA).

  2. The Login window opens. In the Login window, enter your system user name and password.
  3. Generate a one-time password on your device.
  4. Enter the one-time password into a new field that appears in the web console interface after you confirm your password.
  5. Click Log in.
  6. Successful login takes you to the Overview page of the web console interface.

1.9. Rebooting the system using the web console

You can use the web console to restart a RHEL system that the web console is attached to.

Prerequisites

Procedure

  1. Log into the RHEL web console. For details, see Logging in to the web console.

  2. In the Overview page, click the Reboot button.

    cockpit system restart pf4

  3. If any users are logged in to the system, you can write a message about the restart in the Reboot dialog box.

  4. Optional: In the Delay drop down list, select a time interval for the reboot delay.

    cockpit restart delay pf4

  5. Click Reboot.

1.10. Shutting down the system using the web console

You can use the web console to shut down a RHEL system that the web console is attached to.

Prerequisites

Procedure

  1. Log into the RHEL web console.

    For details, see Logging in to the web console.

  2. Click Overview.

  3. In the Restart drop down list, select Shut Down.

    cockpit system shutdown pf4

  4. If any users are logged in to the system, write a reason for the shutdown in the Shut Down dialog box.
  5. Optional: In the Delay drop down list, select a time interval.
  6. Click Shut Down.

1.11. Configuring time settings using the web console

You can set a time zone and synchronize the system time with a Network Time Protocol (NTP) server.

Prerequisites

Procedure

  1. Log in to the RHEL web console.

    For details, see Logging in to the web console.

  2. Click the current system time in Overview.

    RHEL web console

  3. Click System time.
  4. In the Change System Time dialog box, change the time zone if necessary.

  5. In the Set Time drop down menu, select one of the following:

    Manually
    Use this option if you need to set the time manually, without an NTP server.
    Automatically using NTP server
    This is a default option, which synchronizes time automatically with the preset NTP servers.
    Automatically using specific NTP servers
    Use this option only if you need to synchronize the system with a specific NTP server. Specify the DNS name or the IP address of the server.

  6. Click Change.

    RHEL web console

Verification steps

  • Check the system time displayed in the System tab.

Additional resources

1.12. Disabling SMT to prevent CPU security issues using the web console

Disable Simultaneous Multi Threading (SMT) in case of attacks that misuse CPU SMT. Disabling SMT can mitigate security vulnerabilities, such as L1TF or MDS.

Important

Disabling SMT might lower the system performance.

Prerequisites

Procedure

  1. Log in to the RHEL web console. For details, see Logging in to the web console.
  2. In the Overview tab find the System information field and click View hardware details.

  3. On the CPU Security line, click Mitigations.

    If this link is not present, it means that your system does not support SMT, and therefore is not vulnerable.

  4. In the CPU Security Toggles table, turn on the Disable simultaneous multithreading (nosmt) option.
  5. Click the Save and reboot button.

After the system restart, the CPU no longer uses SMT.

Additional resources

1.13. Adding a banner to the login page

You can set the web console to show a content of a banner file on the login screen.

Prerequisites

  • The web console is installed and accessible.

    For details, see Installing the web console.

  • You have root privileges or permissions to enter administrative commands with sudo.

Procedure

  1. Open the /etc/issue.cockpit file in a text editor of your preference: 

    # vi /etc/issue.cockpit

  2. Add the content you want to display as the banner to the file, for example: 

    This is an example banner for the RHEL web console login page.

    You cannot include any macros in the file, but you can use line breaks and ASCII art.

  3. Save the file.

  4. Open the cockpit.conf file in the /etc/cockpit/ directory in a text editor of your preference, for example: 

    # vi /etc/cockpit/cockpit.conf

  5. Add the following text to the file: 

    [Session]
Banner=/etc/issue.cockpit
  6. Save the file.

  7. Restart the web console for changes to take effect. 

    # systemctl try-restart cockpit

Verification steps

  • Open the web console login screen again to verify that the banner is now visible:

    Example banner

1.14. Configuring automatic idle lock in the web console

You can enable the automatic idle lock and set the idle timeout for your system through the web console interface.

Prerequisites

  • The web console must be installed and accessible.

    For details, see Installing the web console.

  • You have root privileges or permissions to enter administrative commands with sudo.

Procedure

  1. Open the cockpit.conf file in the /etc/cockpit/ directory in a text editor of your preference, for example: 

    # vi /etc/cockpit/cockpit.conf

  2. Add the following text to the file: 

    [Session]
IdleTimeout=<X>

    Substitute <X> with a number for a time period of your choice in minutes.

  3. Save the file.

  4. Restart the web console for changes to take effect. 

    # systemctl try-restart cockpit

Verification steps

  • Check if the session logs you out after a set period of time.